Bug#611229: ejabberd: LDAP auth fails after upgrade

Wed, 26 Jan 2011 22:06:17 -0800 

tag 611229 +moreinfo
thanks

On Thu, Jan 27, 2011 at 12:23:24AM +0000, ian wrote:

> After upgrading from 2.1.3-2 to 2.1.5-3 ejabberd fails to authenticate
> any users. We are using LDAP. A downgrade fixes the issue.
[...]
> however when an admin user attempts to log in via the web interface it
> returns an error:
> 
> =ERROR REPORT==== 2011-01-26 22:36:38 ===
> E(<0.519.0>:ejabberd_auth:256) : The authentication module ejabberd_auth_ldap 
> returned an error
> when checking user "ian" in server "example.com"
> Error message: {{case_clause,
>                  {'EXIT',
>                   {function_clause,
>                    [{eldap,'and',
>                      [{'or',
>                        [{equalityMatch,
>                          {'AttributeValueAssertion',"objectClass",
>                           "exampleUser"}},
>                         {equalityMatch,
>                          {'AttributeValueAssertion',"objectClass",
>                           "exampleIT"}}]}]},
[...]
>                 [{eldap_filter,parse,2},
[...]
> =ERROR REPORT==== 2011-01-26 22:36:38 ===
> W(<0.519.0>:ejabberd_web_admin:220) : Access of "i...@example.com" from 
> "10.4.1.241" failed with error: "inexistent-account"
[...]
> {auth_method, ldap}.
> {ldap_servers, ["alpha.ldap.example.com", "ldap.example.com"]}.
> {ldap_base, "ou=users,dc=example,dc=com"}.
> {ldap_uids, [{"mail", "%u@%d"}]}.
> {ldap_filter, "(&(|(objectClass=exampleUser)(objectClass=exampleIT)) 
> (|(accountStatus=active)(accountStatus=migrate)) )"}.

Could you please remove the spaces embedded into ldap_filter's value,
retry and report back if it fixes the problem for you?
The idea is that according to my cursory reading through RFC 4515 [1],
it does not allow whitespace before/between/after assertions in the
"filter compositions" (in fact, anywhere except in the values, it seems),
and LDAP parser has been changed in 2.1.5 (or 2.1.4, I can't recall) to
allow usage of the so-called extensible matching rules in the filter.
That change could, in principle, fix LDAP filter parsing rules as a
byproduct invalidating your ldap_filter.

1. http://tools.ietf.org/html/rfc4515




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to